Banzai Cloud Pipeline allows creating PKE clusters that authenticate users based on OpenID Connect Tokens issued by an OIDC issuer — Dex in case of Pipeline). When requested during cluster creation, Pipeline will automate all the steps needed to setup such a cluster and configure the RBAC roles for each organization role.
To create an OIDC enabled PKE cluster with the Banzai CLI on Azure you have to execute the following request:
banzai cluster create <<EOF
{
"name": "banzai-oidc-azure",
"location": "northeurope",
"secretId": "b075b18d6e273c802744f832e3f4cb807b72922e92f203af671a45d3bbe3c658",
"type": "pke-on-azure",
"resourceGroup": "banzaicloud-dev",
"nodePools": [
{
"name": "master",
"roles": [
"master"
],
"instanceType": "Standard_D2s_v3",
"autoscaling": false,
"count": 1,
"minCount": 1,
"maxCount": 1
},
{
"name": "pool1",
"roles": [
"worker"
],
"instanceType": "Standard_B2s",
"autoscaling": false,
"count": 1,
"minCount": 1,
"maxCount": 1
}
],
"kubernetes": {
"version": "1.15.3",
"rbac": true,
"network": {
"serviceCIDR": "10.32.0.0/24",
"podCIDR": "10.200.0.0/16",
"provider": "weave"
},
"cri": {
"runtime": "containerd"
},
"oidc": {
"enabled": true
}
}
}
EOF
To get your personal OIDC authenticated configuration of the provisioned cluster visit the following URL in your browser, and allow the cluster to request an ID Token for you (you will have to allow Dex to request user details from the configured upstream identity provider):
open https://{PIPELINE_HOST}/pipeline/api/v1/orgs/{orgID}/clusters/{clusterID}/oidcconfig
This Kubernetes configuration contains a personal OIDC user, which is bound to the RBAC roles of your organization setup.